Security Response
Showing posts for January of 2009
Eric Chien | 31 Jan 2009 01:32:41 GMT | 0 comments

Reports about Trojan.Bankpatch.C, a sophisticated online banking Trojan, have been hitting the news wires in Denmark. The first version of this threat was released in 2007 and the latest .C variant in August of 2008.  

However, the life of the threat continues today as the authors continue to distribute the threat and update plug-in modules that target specific banks. Most recently they’ve seen some success in Denmark deploying modules specifically focused on obtaining online banking credentials for numerous Danish banks. While Symantec is continuing deeper analysis of the threat’s latest actions and modules, we wanted to provide a high-level overview of the threat.

Usually Bankpatch will arrive via a popular means of infection such as Web pages hosting exploits against Internet Explorer and third-party browser plug-in...

Sai Narayan Nambiar | 30 Jan 2009 20:06:45 GMT | 0 comments

Phishers always try to come up with new tricks to bypass phishing toolbars. So, it’s not really surprising that we've now seen several phishing websites that are using Flash-based content instead of normal HTML. The main objective for the use of Flash-based content is to avoid phishing detection by toolbars that analyze page content.

Symantec has observed some recent examples all targeting reputable brands. These sites look like genuine front pages, but they are actually Flash recreations.

As shown in the above snapshot, if we right click on the Web page it reveals some program options such as "Zoom In," "Show All," and "play" options in the menu instead of the normal options you would see on an HTML page. When you type in login information, the .swf (Shockwave Flash) file displays a new page, asking for...

Dylan Morss | 28 Jan 2009 22:57:35 GMT | 0 comments

What would your Valentine like this year? Perhaps a shopping spree, a watch, cash, or an assortment of E.D. or weight loss pills?
We are nearing the end of January and Valentine’s Day spam is in full swing. Spammers have been busy making sure they have the perfect gift for your loved ones this year.
The top 20 Valentine’s Day spam subject lines seem more like a laundry list of solutions for a cast of depressed porn stars than an array of truly romantic gifts. What says "Happy Valentine’s Day" quite as well as "Hi Sweetie, here are some weight loss pills for you this year, maybe you can drop a few pounds!"?

The top 20 Valentine’s Day-related subject lines for January

Increase your length, the best valentine's gift
Show off your length for valentine's
Get it before Valentine's day and watch her smile
You have been invited to partake...

Mayur Kulkarni | 28 Jan 2009 17:49:49 GMT | 0 comments

During the past few days we have observed a rise in Russian spam that is offering various local trade services at cheap rates. Instead of using the old standby methods, they are spamming out telephone and ICQ numbers in their ads rather than redirecting email recipients to malicious websites, as is usually seen with spam related to pharmacy or watch replicas, for example.

The interesting concept of this spam lies in the simplicity of the localized services offered. For example, the majority of these spam emails consist of ads for everything from audio books to real estate, from personalized accounting services to the installation of auto glass. For these types of services, it may be that maintaining a dedicated website can be costly and unnecessary. Also, this may be an effort to move away from embedding URLs in emails because anti-spam filters commonly block such messages.

The primary action required for the recipients of these spam messages is to call a telephone...

khaley | 28 Jan 2009 17:34:11 GMT | 0 comments

I keep getting asked about what malware Symantec has seen that’s been written to target social networks. While there have certainly been a few such as Koobface, people are asking the wrong question. If the social network sites are paying attention, and to their credit they usually are, these threats can be squashed pretty quickly. It’s not targeted attacks you should be worried about, but adapted attacks. Adapted attacks occur when the bad guys take existing threats and use social networks to increase the effectiveness of the social engineering aspect of the attack. There is nothing like being surrounded by friends to get you to lower your guard.
Take the problem we are getting a lot of reports on currently—it’s an advanced payment scam. This is often called a Nigerian 419 scam. (I like to call it the Spanish Prisoner...

Eric Chien | 28 Jan 2009 15:28:21 GMT | 0 comments

Editor’s Note: This is the sixth installment of a multi-part series on specific and interesting aspects of W32.Downadup.

Among other methods, Downadup infects other machines via a remote procedure call (RPC) exploit against the MS08-067 vulnerability. Using the vulnerability, the worm injects shellcode that connects back to the infecting machine. This is known as a back-connect. The back-connect works via HTTP on a randomly selected port and the infecting machine responds to incoming requests by providing the entire worm file. The shellcode receives this file and executes it on the remote host, causing it to then become infected.

However, many home users today use routers or other...

Dermot Harnett | 28 Jan 2009 00:43:57 GMT | 0 comments

As the Chinese New Year (Spring Festival) continues to be celebrated around the world, a recent increase in the abuse of the .cn (China) country code top-level domain (ccTLD) has been observed in spam messages. A top-level domain (TLD) is the part of a domain name that follows the final “dot” of any domain name. A ccTLD is a top-level domain generally reserved or used by a country or dependent territory. As noted in the January 2009 Symantec State of Spam Report, approximately 90 percent of all spam messages today contain some kind of URL. In January 2009, an average of 32.5 percent of the URLs observed have had a .cn ccTLD, compared to the average of 57 percent of URLs that had a .com TLD.

Spammers often rotate domains and TLDs in their spam messages because they likely feel this tactic allows them to circumvent some anti-spam filters that...

Nishant Doshi | 27 Jan 2009 22:12:29 GMT | 0 comments

Welcome back to this blog series on misleading applications. This is the concluding article, so if you need a refresher on what we’ve covered to get to this point, have a look at the first two parts (part 1 and part 2). Essentially, today I’m going to conclude how malicious users gain access to Trojans, fake codec, and fake scanner URLs in order to distribute misleading applications. And, it may be of some interest to discuss why those with malicious intent would do this (easy money, perhaps?), but I’ll break some reasons down for you. Also, I’ll provide some tips to protect your computer from these threats and to keep your eye out for telltale signs of misleading apps.

Pay-per-install: The Source...

Kelly Conley | 27 Jan 2009 19:26:28 GMT | 0 comments

Macau is the only place in China where there is legalized gambling.* In order to gamble legally in China a person would need to spend money on travel and accommodations to get there. Is there a way to avoid the hassle and expenditure of traveling to Macau for those persons that are interested in gambling? Well, it seems that spammers are offering a solution to the Chinese population: gambling online, from the comfort of your home.

Symantec has recently observed what we believe to be the first instance of online casino and sports betting spam using the Chinese language. The layout of the message is very similar to what we frequently see in English-language casino spam. The message asks users to download a number of software packages and register an account. By registering an account, a user automatically becomes eligible for a random amount of free cash or bonus points. This is all a very common occurrence in English-language spam related to gambling. But,...

Eric Chien | 23 Jan 2009 23:20:00 GMT | 0 comments

Editor’s Note: This is the fifth installment of a multi-part series on specific and interesting aspects of W32.Downadup.

The ability of a threat to widely replicate often depends on its algorithm of finding other computers on the Internet, which are represented by an IP address. Downadup uses a variety of techniques to scan for new machines in order to maximize its infection abilities and at the same time minimize the chance of being noticed on a host.

Brute-force network scanning can cause noticeable slowdowns and network issues on the infected machine. Downadup attempts to limit its impact in two ways. Firstly, the worm contacts two well known websites and calculates the computer’s average bandwidth, then uses this value to configure how many simultaneous remote procedure call (RPC) exploit scans are allowed at one time. Secondly, a pause...